Legal

Data Processing Addendum

Last updated: April 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service available at prioritydial.com/terms entered into by and between the Customer ("Customer", "Controller", "you") and Outbound Partners L.L.C-FZ, trading as PriorityDial ("Outbound Partners", "Processor", "we", "us"), a company registered in Dubai, United Arab Emirates, in relation to PriorityDial (the "Service").

The purpose of this DPA is to set out the parties' obligations with respect to the processing of personal data in connection with the Service, in compliance with applicable data protection laws including the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 ("DPA 2018"), and the EU General Data Protection Regulation ("EU GDPR") where applicable.

This DPA is effective from the date the Customer first accesses the Service and remains in effect for the duration of the Agreement.

Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined herein have the meanings given in the Agreement.

"Applicable Data Protection Law" means all laws and regulations relating to the processing of personal data applicable to the performance of the Service, including the UK GDPR, the DPA 2018, the EU GDPR (where applicable), and the Privacy and Electronic Communications Regulations 2003 ("PECR").

"Controller" means the entity which determines the purposes and means of the processing of personal data. For the purposes of this DPA, the Customer is the Controller.

"Data Subject" means the identified or identifiable natural person to whom personal data relates.

"Personal Data" has the meaning given to "personal data" under Applicable Data Protection Law, to the extent such data is Customer Data processed by the Processor in connection with the Service.

"Processing" means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure or destruction.

"Processor" means the entity which processes personal data on behalf of the Controller. For the purposes of this DPA, Outbound Partners is the Processor.

"Sub-processor" means any third-party processor engaged by the Processor to process personal data on behalf of the Controller.

"Supervisory Authority" means the Information Commissioner's Office ("ICO") or, where the EU GDPR applies, the relevant supervisory authority of the applicable EU member state.

1. Roles of the Parties

The Customer is the Controller of the personal data submitted to the Service. Outbound Partners is the Processor, processing personal data on behalf of the Customer solely for the purposes of providing the Service as described in the Agreement and this DPA.

Where the Customer is itself a processor acting on behalf of a third-party controller, Outbound Partners shall be a sub-processor and this DPA shall apply accordingly. The Customer warrants that its instructions to Outbound Partners have been authorised by the relevant controller.

2. Customer Responsibilities

The Customer shall ensure that its submission of personal data to the Service and its instructions for the processing of personal data comply with Applicable Data Protection Law. The Customer is solely responsible for:

  1. The accuracy, quality and legality of the personal data submitted to the Service and the means by which it was obtained.
  2. Ensuring a valid legal basis exists for the processing of all personal data submitted, including where legitimate interest is relied upon, maintaining a documented Legitimate Interests Assessment.
  3. Providing any required transparency notices to data subjects in accordance with Articles 13 and 14 of the UK GDPR, including informing data subjects of the source of their data and the purposes for which it is being processed.
  4. Compliance with PECR and TPS/CTPS obligations when using the outputs of the Service for live marketing calls or other outreach activities.

3. Processing Purposes and Instructions

The Processor shall process personal data only in accordance with the Customer's documented instructions as set out in the Agreement and this DPA. The Processor shall not process personal data for any purpose other than the provision of the Service unless required by Applicable Data Protection Law, in which case the Processor shall inform the Customer of that legal requirement before processing (unless the law prohibits such notification).

The Customer instructs and authorises the Processor to process personal data:

  1. In accordance with the Agreement and any applicable order forms.
  2. As initiated by authorised users of the Customer's account in their use of the Service.
  3. To comply with other documented, reasonable instructions provided by the Customer where such instructions are consistent with the Agreement.

If the Processor reasonably believes that an instruction from the Customer conflicts with Applicable Data Protection Law, the Processor shall promptly notify the Customer.

4. Scope of Processing

The subject matter, duration, nature, purpose, types of personal data and categories of data subjects processed under this DPA are set out in Annex I below.

5. Confidentiality and Personnel

The Processor shall ensure that access to personal data is limited to personnel who require access for the performance of the Service ("Authorised Personnel"). Authorised Personnel shall be subject to contractual or statutory obligations of confidentiality and shall receive appropriate training on data protection responsibilities. The Processor shall take commercially reasonable steps to ensure the reliability of Authorised Personnel.

6. Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. These measures are described in Annex II and include, as applicable:

  1. Encryption of personal data in transit and at rest.
  2. Access controls based on the principle of least privilege.
  3. Regular monitoring and logging of access to personal data.
  4. Secure software development practices.
  5. Regular vulnerability assessments.

The Processor shall not materially decrease the overall security of the Service during the term of the Agreement.

7. Sub-processors

The Customer authorises the Processor to engage Sub-processors to assist with the provision of the Service, subject to the following conditions:

  1. The Processor shall enter into a written agreement with each Sub-processor containing data protection obligations substantially similar to those set out in this DPA.
  2. The Processor shall remain responsible and liable to the Customer for the acts and omissions of its Sub-processors to the same extent as if the Processor were performing the services directly.
  3. The Processor shall notify the Customer by email prior to engaging any new Sub-processor or replacing an existing Sub-processor. The Customer shall have 10 business days from receipt of such notice to raise a reasonable objection. If the Customer objects and the parties cannot resolve the objection within 30 days, the Customer may terminate the affected part of the Service upon 10 days written notice.

A current list of Sub-processors is available upon request by emailing privacy@prioritydial.com.

8. Data Subject Requests

The Processor shall promptly notify the Customer if it receives a request from a data subject to exercise any of their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability or objection ("Data Subject Request"). The Processor shall not respond to a Data Subject Request without the Customer's prior written authorisation, except where required by law.

The Processor shall provide reasonable assistance to the Customer in responding to Data Subject Requests, taking into account the nature of the processing and the information available to the Processor.

9. Security Incidents

The Processor shall notify the Customer without undue delay upon becoming aware of any unauthorised or unlawful processing of, or accidental loss, destruction, alteration or damage to, personal data processed under this DPA (a "Security Incident"). Such notification shall include:

  1. A description of the nature of the Security Incident, including where possible the categories and approximate number of data subjects and personal data records concerned.
  2. The contact details of the Processor's data protection point of contact.
  3. A description of the likely consequences of the Security Incident.
  4. A description of the measures taken or proposed to address the Security Incident and mitigate its effects.

The Processor shall take reasonable steps to investigate, mitigate and remediate the cause of any Security Incident. The Processor's notification of a Security Incident shall not be construed as an acknowledgement of fault or liability.

10. Data Retention and Deletion

The Processor shall retain personal data only for the duration of the Agreement and as necessary to provide the Service. The following retention and deletion rules apply:

  1. Active accounts. Personal data submitted by the Customer is retained for the duration of the Agreement and any active campaigns associated with the Customer's account.
  2. Stale data. Contact records that have not been accessed, scored or used in a verification activity within 180 days may be automatically purged from the Service. The Customer will be notified before any automated purge takes place.
  3. Termination. Upon expiration or termination of the Agreement, all personal data submitted by the Customer will be securely deleted within 30 days, unless retention is required by Applicable Data Protection Law. The Processor shall provide written confirmation of deletion upon the Customer's request.
  4. Data subject erasure requests. Where a data subject exercises the right to erasure and the Customer instructs the Processor to delete the relevant data, the Processor shall do so without undue delay.

11. International Transfers

The Processor is established in the United Arab Emirates. To the extent that the provision of the Service involves the transfer of personal data from the United Kingdom to the UAE or any other country that has not been deemed to provide an adequate level of protection by the relevant authority, the Processor shall ensure that appropriate safeguards are in place in accordance with Applicable Data Protection Law. Such safeguards may include the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or any other transfer mechanism approved by the ICO.

Where the Service infrastructure is hosted within the United Kingdom or the European Economic Area, personal data shall be stored and processed within those territories. Any transfers outside those territories will be subject to the safeguards described above.

The Processor shall inform the Customer of any intended international transfers and the safeguards applied.

12. Assistance with Compliance

The Processor shall provide reasonable assistance to the Customer in ensuring compliance with the Customer's obligations under Applicable Data Protection Law, including:

  1. Assisting with data protection impact assessments where the processing is likely to result in a high risk to the rights and freedoms of data subjects.
  2. Assisting with prior consultation with the Supervisory Authority where required.
  3. Making available information necessary to demonstrate compliance with obligations under Applicable Data Protection Law.

13. Audits

The Processor shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. The Customer may, upon reasonable written notice and no more than once per calendar year (except following a Security Incident), conduct or commission an audit of the Processor's processing activities and security measures relevant to this DPA. Audits shall be conducted during normal business hours, shall not unreasonably interfere with the Processor's operations, and any third-party auditor engaged by the Customer shall be subject to confidentiality obligations acceptable to the Processor.

14. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

15. Term

This DPA is effective from the date the Customer first accesses the Service and shall remain in effect for so long as the Processor processes personal data on behalf of the Customer. Sections of this DPA that by their nature should survive termination shall survive, including but not limited to provisions relating to confidentiality, data deletion and liability.

16. Order of Precedence

This DPA is incorporated into and forms part of the Agreement. In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA shall prevail with respect to data protection matters.

17. UK Representative

As Outbound Partners L.L.C-FZ is established outside the United Kingdom, and to the extent required by Article 27 of the UK GDPR, the Processor shall designate a representative in the United Kingdom. Details of the appointed UK representative are available upon request by emailing privacy@prioritydial.com.

18. Contact

For any questions or requests relating to this DPA, please contact:

Outbound Partners L.L.C-FZ
Registered in Dubai, UAE
Data Protection Contact: privacy@prioritydial.com

Annex I: Details of Processing

A. Data Importer (Processor)

Name
Outbound Partners L.L.C-FZ (trading as PriorityDial)
Registered address
Dubai, United Arab Emirates
Contact
privacy@prioritydial.com
Role
Processor

B. Data Exporter (Controller)

The Customer as identified in the Agreement.

C. Categories of Data Subjects

The categories of data subjects whose personal data may be processed are determined by the Customer and may include: prospects and contacts of the Customer, employees and contractors of the Customer's target organisations, and other business contacts submitted by the Customer to the Service.

D. Categories of Personal Data

Contact identifiers
First name, last name
Professional information
Job title, role, seniority, department
Organisation data
Company name, industry, company size
Contact details
Business phone numbers (direct, mobile, switchboard), business email address
Online identifiers
LinkedIn profile URL, other professional social media links
Scoring outputs
Priority classification (P1, P2, P3), verification status, reachability signals, TPS/CTPS registration status
Source metadata
Data source, enrichment provider, upload date

E. Processing Activities

  1. Contact scoring — submitted contact data is analysed and classified into priority tiers (P1, P2, P3) based on reachability and connection propensity signals.
  2. Phone number verification — phone numbers submitted by the Customer are verified using live call verification via Twilio-integrated UK mobile numbers to determine whether the number is active, reachable and connects to the intended contact.
  3. TPS/CTPS screening — phone numbers are screened against the Telephone Preference Service and Corporate Telephone Preference Service registers to identify numbers that have opted out of unsolicited marketing calls.
  4. Data storage and retrieval — scored and verified contact data is stored within the Customer's tenant within the Service and made available for retrieval and export by the Customer.
  5. Audit logging — processing activities including scoring events, verification attempts, TPS/CTPS screening results and timestamps are logged for compliance and audit trail purposes.

F. Frequency and Retention

Frequency
Continuous for the duration of the Agreement, as initiated by the Customer's use of the Service.
Retention
Contact records tied to active campaigns are retained for the campaign duration. Stale records may be purged after 180 days of inactivity. All data is deleted within 30 days of termination of the Agreement.
Supervisory Authority
Information Commissioner's Office (ICO), United Kingdom.

Annex II: Technical and Organisational Measures

1. Encryption

Personal data is encrypted in transit using TLS 1.2 or above and encrypted at rest using AES-256 or equivalent. Database backups are encrypted using the same standards.

2. Access Control

Access to personal data is restricted to Authorised Personnel on a least-privilege basis. Multi-factor authentication is required for administrative access to production systems. Access permissions are reviewed regularly and revoked promptly upon role changes or termination.

3. Multi-tenant Isolation

The Service operates a multi-tenant architecture. Each Customer's data is logically isolated within the system. Customers cannot access data belonging to other tenants.

4. Logging and Monitoring

The Processor maintains system logs including access logs, authentication events, scoring and verification activity logs, and security event logs. Logs are retained for a minimum of 12 months and are used for security monitoring, incident investigation and compliance audit purposes.

5. Secure Development

The Processor follows secure development practices including code review, separation of development and production environments, and regular dependency updates.

6. Vulnerability Management

The Processor conducts regular vulnerability assessments of the Service infrastructure and applies security patches in a timely manner based on severity.

7. Business Continuity

The Processor maintains regular automated backups and has procedures in place for disaster recovery to ensure the availability and resilience of the Service.

8. Personnel Security

All Authorised Personnel are subject to confidentiality obligations and receive training on data protection responsibilities. Access to personal data is granted only to personnel who require it for the performance of their role.

9. Physical Security

The Service is hosted on cloud infrastructure provided by reputable third-party providers who maintain industry-standard physical security controls including access restrictions, environmental controls and monitoring.

10. TPS/CTPS Screening Controls

The Processor integrates with third-party TPS/CTPS screening services to screen phone numbers before verification calls are made. Screening results are logged with timestamps to provide an auditable compliance trail. Numbers identified as registered on TPS or CTPS are flagged within the Service and blocked from verification calling. Re-screening is performed automatically at intervals consistent with ICO guidance.

11. Data Minimisation

The Processor processes only the categories of personal data necessary to deliver the Service as described in Annex I. Data that is no longer required for the stated processing purposes is deleted in accordance with the retention schedule.

12. Incident Response

The Processor maintains an incident response plan that includes procedures for identifying, containing, investigating and remediating Security Incidents. The plan includes defined escalation procedures and notification obligations as set out in Section 9 of this DPA.

13. Sub-processor Due Diligence

The Processor assesses the security posture of all Sub-processors prior to engagement and requires contractual commitments that are substantially as protective of personal data as the obligations in this DPA.